Data Protection and the Information Commissioner’s Office

They deny there will be scapegoats, but there is speculation that the Information Commissioner’s Office will make use of new powers acquired on 6th April to reinforce its message on data protection. Organisations must be mindful of both heavy fines and highly negative publicity which may arise from breach of statutory requirements.

There is some useful advice on the ICO’s website - and it’s in a surprisingly digestible format. The FAQs below are based on one introductory section.

The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details. The legislation itself is complex and, in places, hard to understand. However, it’s underpinned by a set of eight straightforward, common-sense principles. If you make sure you handle personal data in line with the spirit of those principles, then you will go a long way towards ensuring that you comply with the letter of the law.

Does the Data Protection Act apply to me?
Only if you “process personal data”. If so, you must handle the personal data in accordance with the data protection principles. Broadly, if you collect or hold information about an identifiable living individual, or if you use, disclose, retain or destroy that information, you are likely to be processing personal data.

Do I need to notify the Information Commissioner?
If you are processing personal data you usually have to notify the Information Commissioner about this. Failure to notify is a criminal offence. The main purpose of notification and the public register is transparency and openness.

Are there any exceptions?
The Act provides an exemption from notification for some organisations that process personal data only for:
- staff administration (including payroll);
- advertising, marketing and public relations in connection with your own business;
- accounts and records.

Do I have to reply to a subject access request?
Yes, unless an exemption applies. One of the main rights which the Act gives to individuals is the right of access to their personal data. An individual may send you a “subject access request” requiring you to tell them whether you are processing their personal data and, if so, to provide certain information.

What does “fair processing” mean?
The first data protection principle requires you to process personal data fairly and lawfully. Ensuring fairness in everything you do with people’s personal details is central to complying with your duties under the Data Protection Act. In practice, it means that you must:
- have legitimate reasons for collecting and using the personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be open and honest about how you intend to use the data;
- give individuals appropriate privacy notices when collecting their personal data;
- handle people’s personal data only in ways they would reasonably expect;
- make sure you do not do anything unlawful with the data.

What is a privacy notice?
One of the requirements of the Act’s fair processing provisions is that certain information is given to the individuals concerned. The oral or written statement that individuals are given when information about them is collected is often called a “privacy notice” or a “fair processing notice”.

Can I use personal data for a new purpose or disclose it to a third party?
It depends. You should keep within the spirit of the intended use stated when the data was collected. If you want to go beyond that, you should explain your modified intentions and, at the very least, give your existing customers an easy way to opt out.

Can I send personal data overseas?
You may transfer personal data to countries within the European Economic Area on the same basis as you may transfer it within the UK. However, you may only send it to a country or territory outside the European Economic Area if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing personal data.

Must I encrypt all the information I store on computer?
Not necessarily. The Data Protection Act does not require you to encrypt personal data. However, it does require you to have appropriate security measures in place to guard against unauthorised use or disclosure of the personal data you hold, or its accidental loss or destruction.

Blogalot - April 2010

Effective Information Security Management (ISM)

Applying ITIL, ISO/IEC20000 and ISO/IEC27000

A new paper by Jim Clinch provides a useful overview of the best practices and standards relevant to those looking to improve standards of information security in their organisations.

It is good at explaining where information security fits within ITIL, and it explains what is in the pipeline for the ISO/IEC 27000 family.

Jim argues for a business-based approach, and provides a checklist of 9 steps:

1. Produce, maintain, distribute and enforce an Information Security Policy
2. Understand the current business security policy and plans
3. Understand and agree current and future business security requirements
4. Implement security controls that support the Information Security Policy
5. Document all security controls and their operation, maintenance and associated risks
6. Manage suppliers and contracts in respect of access to systems and services
7. Manage all security breaches and incidents
8. Proactively improve security controls and security risk management
9. Ensure security aspects are integrated into all other ITSM processes

>> ITIL Training Courses
>> Information Security Training
>> Download Jim’s Paper - ITIL v3 and Information Security (PDF - 1.89Mb)

Blogalot - June 2009